Forum Replies Created

Viewing 15 Topics - 1 through 15 (of 23 total)
January 12, 2015 at 3:55 pm in reply to: WARNING! Dokan major security issue 33943
Yann Yann

I do confirm the major security issues have been fixed in the latest version of the Dokan plugin.

October 28, 2014 at 2:14 pm in reply to: WARNING! Dokan major security issue 29237
Yann Yann

@Mahi I just answered your email with details and a proposed security fix for this issue. Please update the plugin and advise all your users to upgrade.

October 28, 2014 at 1:23 am in reply to: WARNING! Dokan major security issue 29203
Yann Yann

Update 2: you can also wipe out all pages and articles of the site, and retitle all media. You do not need to be connected to the site. This can be performed automatically from anywhere in the world. You just need to know the address of the site, and that the Dokan plugin is installed. I advise all users to deactivate the Dokan plugin at once until it is fixed!

October 28, 2014 at 12:23 am in reply to: Dokan PHP bugs 29197
Yann Yann

One of your functions is just incredibly dangerous

http://wedevs.com/support/topic/warning-dokan-major-security-issue

You need to implement Nonces, check for appropriate user credentials when handling POST requests, etc.

http://codex.wordpress.org/WordPress_Nonces

As is, this code is totally unprofessional, and a true security hazard for any user of the Dokan plugin. This needs to be patched ASAP, and all users must be warned!

Your plugin is a security threat for the WordPress community. Totally inappropriate for e-commerce.

I have a fixed version of the function if needed. I cannot give any more details here because of the security threat if the exploit is revealed.
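The two controls this post asks for (a nonce plus a credential check on any state-changing POST request), as an added example that is not part of the thread or of the Dokan plugin's code. It contrasts the unchecked pattern described above with a hardened admin-ajax handler; the action name `example_delete_product`, the function names and the `product` post type used in the checks are assumptions, and everything else is the standard WordPress API (`check_ajax_referer`, `current_user_can`, `wp_create_nonce`).

```php
<?php
// Added example (not Dokan's code): a front-end "delete product" handler
// written the way the thread recommends: a nonce tied to the action plus a
// capability check on the logged-in user. Function and action names are
// hypothetical.

// Pattern the thread warns about: a POST handler that trusts the request and
// removes whatever ID it is given, with no nonce and no credential check.
// Kept here only as the contrast for the hardened version below.
function example_unsafe_delete_product() {
    if ( isset( $_POST['product_id'] ) ) {
        wp_delete_post( (int) $_POST['product_id'], true );
    }
}

// Hardened handler: reachable only through the authenticated 'wp_ajax_' hook,
// verifies the nonce, then checks the user may delete this specific product.
function example_secure_delete_product() {
    // 1. Nonce: proves the request came from a form this site rendered for
    //    this user and this action, so a forged cross-site POST fails here.
    //    check_ajax_referer() dies with a -1 response on mismatch.
    check_ajax_referer( 'example_delete_product', 'nonce' );

    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;
    $product    = $product_id ? get_post( $product_id ) : null;

    if ( ! $product || 'product' !== $product->post_type ) {
        wp_send_json_error( array( 'message' => 'Unknown product.' ), 404 );
    }

    // 2. Credentials: 'delete_post' is a meta capability, so a vendor passes
    //    only for their own products unless they also hold delete_others_posts.
    if ( ! current_user_can( 'delete_post', $product_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    wp_trash_post( $product_id );
    wp_send_json_success( array( 'product_id' => $product_id ) );
}
// No 'wp_ajax_nopriv_' registration: anonymous requests never reach the
// handler and get WordPress's default "0" reply.
add_action( 'wp_ajax_example_delete_product', 'example_secure_delete_product' );

// Rendering side: the button only appears for users allowed to delete, and
// carries a nonce for exactly this action (hypothetical markup).
function example_delete_button( $product_id ) {
    if ( ! current_user_can( 'delete_post', $product_id ) ) {
        return '';
    }
    return sprintf(
        '<button class="example-delete" data-id="%d" data-nonce="%s">Delete</button>',
        absint( $product_id ),
        esc_attr( wp_create_nonce( 'example_delete_product' ) )
    );
}
```

The nonce and the capability check answer two different questions (was this request deliberately sent from this site's UI by this user, and is this user permitted to act on this object), which is why both are needed: a nonce alone still lets any logged-in user delete someone else's product, and a capability check alone still allows a forged request from a page the user is tricked into visiting.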

October 28, 2014 at 12:20 am in reply to: Dokan PHP bugs 29196
Yann Yann

@Mahmoud: please do not use this bug reporting topic for conversation.

Unfortunately I have no time to give free help.

October 27, 2014 at 11:49 pm in reply to: WARNING! Dokan major security issue 29191
Yann Yann

update: you do not even need the product URL. You can just wipe out all products one by one.

October 27, 2014 at 10:09 pm in reply to: WARNING! Dokan major security issue 29184
Yann Yann

If you’re using the Dokan plugin, your site is unfit for launch. Any product on a live Dokan site can be brought down, you just need the products’ public URL for that.

October 27, 2014 at 10:06 pm in reply to: WARNING! Dokan major security issue 29183
Yann Yann

Yes, this is quite ironic. WordPress & Woocommerce are quite safe for e-commerce, but the Dokan plugin makes WordPress and WC completely unsafe because of really poor programming. They should have taken time to review their PHP code instead of writing such a piece of propaganda.

(I’m not one of “those guys”, I was just investigating / correcting / debugging this product for one of my clients and now we just came to the conclusion that we are facing potential disaster if we carry on with this plugin.)

October 27, 2014 at 10:03 pm in reply to: WARNING! Dokan major security issue 29182
Yann Yann

This vulnerability puts all site content at risk, not only products, but any WordPress content (articles, pages,…).

I cannot give more details here for obvious security reasons, because this would put all sites using the Dokan plugin in jeopardy right away.

Dokan developers: please contact me ASAP for details (use my e-mail address).

Only the Dokan plugin has this vulnerability, the legacy Dokan theme does not seem to have this problem.

October 27, 2014 at 7:50 pm in reply to: Dokan PHP bugs 29172
Yann Yann

[suppressed]

October 24, 2014 at 12:06 am in reply to: Dokan PHP bugs 28983
Yann Yann

Dashboard reports page breaks when the dashboard template files are overridden

This is because of this include in the reports.php template:

require_once dirname( dirname( __FILE__ ) ) . '/includes/reports.php';

This is wrong, because when the templates are overridden, they are no longer in the Dokan plugin directory, they are in a subdirectory of the theme, so this relative path-based include can never work!

It can be corrected this way:

require_once( WP_PLUGIN_DIR . '/dokan/includes/reports.php' );

October 23, 2014 at 5:02 pm in reply to: Dokan PHP bugs 28956
Yann Yann

Product edit page in the dashboard is broken for published products.

This is because depending on the context, the product-edit.php template is either loaded inside the shortcode (when the product is not published) or standing alone by itself (when the product is published). Of course this is completely wrong. Since the dashboard is now loaded inside a page context in a shortcode, you should not load the product-edit template as a standalone page.

You have to correct this function:
function dokan_edit_product_url()
in this file:
includes/theme-functions.php
around line 701-713

We cannot use this kind of URL anymore:
trailingslashit( get_permalink( $product_id ) ) . 'edit/';
…because it returns the product-edit template outside the dashboard.

We always have to load the product edit template inside the dashboard shortcode!

So you must correct the function to completely bypass the old kind of URL, even when the product is published:

/**
 * Get edit product url
 *
 * @param int $product_id
 * @return string
 */
function dokan_edit_product_url( $product_id ) {
    // 'false &&' short-circuits the old test, so published products no longer
    // get the standalone /edit/ URL; the dashboard query-arg URL is always used.
    if ( false && get_post_field( 'post_status', $product_id ) == 'publish' ) {
        return trailingslashit( get_permalink( $product_id ) ) . 'edit/';
    }

    return add_query_arg( array( 'product_id' => $product_id, 'action' => 'edit' ), dokan_get_navigation_url( 'products' ) );
}

NOTICE the if( false &&… ) to bypass first test. We don’t want this!

You can also simply delete lines 708-710.

NOTE: I am not sure yet if this fix has consequences elsewhere on product edit links or buttons outside the dashboard. However it is not possible to edit products outside of the dashboard anymore because of the shortcode-based dashboard in the Dokan plugin. So this has to be fixed everywhere there is a product edit link anyway.

October 23, 2014 at 4:53 pm in reply to: Dokan PHP bugs 28955
Yann Yann

Dashboard product listing pagination is broken in the Dokan plugin.

This is because you use a WordPress rewrite_endpoint to implement dashboard sub-pages URLs in the plugin, and WP endpoints do not support pagination. So again this is a major bug due to wrong implementation of shortcode/endpoint based dashboard admin pages in the plugin.

Since there is no way to implement pagination on WP endpoints, you have to add wp rewrite_rules somewhere to support pagination. Such as this:

class Dokan_Dashboard_Pagination {

    public function __construct() {
        add_action( 'init', array( $this, 'dokan_dashboard_pagination_rules' ), 1 );
        add_action( 'template_redirect', array( $this, 'handle_redirect' ), 1 );
    }

    /**
     * Missing rewrite rules for Dokan dashboard
     * (flush rewrite rules, e.g. by re-saving Settings > Permalinks, after adding these)
     */
    public function dokan_dashboard_pagination_rules() {
        //@see http://wordpress.stackexchange.com/questions/67732/setting-a-custom-sub-path-for-blog-without-using-pages

        // Custom query var so handle_redirect() can recognise the request.
        add_rewrite_tag( '%fake_page%', '([^&]+)' );

        // Matches e.g. /dashboard/products/page/2/ and passes the page number as 'paged'.
        add_rewrite_rule(
            '[^/]+/products/page/?([0-9]+)/?$',
            'index.php?fake_page=products&products=&paged=$matches[1]',
            'top'
        );
    }

    public function handle_redirect() {
        global $wp;
        $template = $wp->query_vars;
        if (
            array_key_exists( 'fake_page', $template ) &&
            'products' == $template['fake_page']
        ) {
            //note: please replace with actual template used for dashboard!
            include( get_stylesheet_directory() . '/dashboard.php' );
            exit;
        }
    }
}
new Dokan_Dashboard_Pagination();

NOTE: this is just a rough code example, the rewrite rule could be better written to include the actual dashboard slug at the beginning, and there must be some way to determine the right template to use based on dokan_get_option( $page, ‘dokan_pages’ ) and the _wp_page_template meta… However I implemented it to fix our site and it works.

October 22, 2014 at 10:08 pm in reply to: Dokan plugin Dashboard Front-end template 28891
Yann Yann

@Sekander : thanks. I will continue tracking the issue in the original thread.

October 22, 2014 at 10:05 pm in reply to: Dokan PHP bugs 28890
Yann Yann

Thanks!

I will post again in this topic if I find any other bug.
